Getting Data In

Having issues with universal forwarder

Path Finder

I checked that there are no firewall issues.

On the universal forwarder in splunkd.log:

07-15-2013 13:09:50.264 -0700 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997
07-15-2013 13:09:52.395 -0700 INFO BatchReader - Removed from queue file='/opt/splunkforwarder/var/log/splunk/metrics.log.1'.
07-15-2013 13:09:52.636 -0700 INFO WatchedFile - Will begin reading at offset=4575529 for file=

On the Splunk server in splunkd.log:

07-15-2013 14:36:05.672 -0400 INFO BatchReader - Removed from queue file

I am not sure why I don't see logs in the indexer. Not sure what I might be missing?

Here are the files:

/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/inputs.conf

[monitor:///log1/log2/log3]
sourcetype = syslog
index = syslog
disabled = false
crcSalt =
ignoreOlderThan = 1d
host_segment = 4

/opt/splunkforwarder/etc/system/local/outputs.conf

[tcpout]
defaultGroup=syslog_index
disabled = false

# Forward the internal indexes as well as the non-internal ones

forwardedindex.0.whitelist = .*
forwardedindex.1.whitelist = _.*

[tcpout:syslog_index]
server=splunkserver:9997


Re: Having issues with universal forwarder

Communicator

Do you have anything defined as part of inputs on your forwarder? You can verify by doing:

  $SPLUNK_HOME/bin/splunk list monitor

If you want the internal logs forwarded in, you may have to explicitly allow them in through outputs.conf configuration:

[tcpout]
defaultGroup = GroupName
disabled = false
# Forward the internal indexes as well as the non-internal ones
forwardedindex.0.whitelist = .*
forwardedindex.1.whitelist = _.*

Re: Having issues with universal forwarder

Path Finder

Yes, I have defined a stanza in the inputs.conf file. Even after adding your configuration in the outputs.conf file I still don't see the logs coming in. Just not sure why?


Re: Having issues with universal forwarder

Communicator

Did you set up your indexer to listen for incoming data, on the port you've defined in outputs.conf? Should be able to use the following command to see:

$SPLUNK_HOME/bin/splunk display listen


Re: Having issues with universal forwarder

Path Finder

Yes.

Here is the output:
Receiving is enabled on port 9997.


Re: Having issues with universal forwarder

Champion

If you can provide your outputs.conf and inputs.conf from your UF.


Re: Having issues with universal forwarder

Path Finder

I have updated the info.


Re: Having issues with universal forwarder

Champion

So you only have one tcpout configured on your UF? Have you defined an index called syslog on your indexer? On your indexer, do you see anything within your metrics.log regarding data being sent from your UF? Is this the only input defined on your UF?


Re: Having issues with universal forwarder

Path Finder

So you only have one tcpout configured on your UF?
Yes.

Have you defined an index called syslog on your indexer?
No.

On your indexer, do you see anything within your metrics.log regarding data being sent from your UF?

Sometimes it shows and then it's gone.

Is this the only input defined on your UF?

Yes.


Re: Having issues with universal forwarder

Champion

If you are defining index = syslog for your input on your UF, you need to have an index called syslog on your indexer.
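The mismatch in this thread (an input routing to an index the indexer never declared) is easy to check mechanically. The following is an added example, not code from the thread or from Splunk: it parses the forwarder's inputs.conf and the indexer's indexes.conf with a small .conf parser and reports every enabled monitor input whose index has no stanza on the indexer. The config text is constructed for the example (the inputs.conf stanza from the question plus a second input, and an indexes.conf that declares "os" but not "syslog"); `main` is treated as always present because Splunk ships it in its default indexes.conf, and the other built-in indexes are not modelled.

```python
"""Cross-check index names referenced by a universal forwarder's inputs.conf
against the index stanzas declared in the indexer's indexes.conf.
Added example; the sample configs below are constructed, not taken from a live system."""
import re

# Constructed sample: the UF inputs.conf from the question plus a second input.
UF_INPUTS_CONF = """\
[monitor:///log1/log2/log3]
sourcetype = syslog
index = syslog
disabled = false

[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = os
"""

# Constructed sample: an indexer's indexes.conf that declares 'os' but not 'syslog'.
INDEXER_INDEXES_CONF = """\
[default]
maxTotalDataSizeMB = 500000

[os]
homePath = $SPLUNK_DB/os/db
coldPath = $SPLUNK_DB/os/colddb
thawedPath = $SPLUNK_DB/os/thaweddb
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
SETTING_RE = re.compile(r"^(?P<key>[^=#\s][^=]*?)\s*=\s*(?P<value>.*?)\s*$")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.
    '#' lines are comments; settings that appear before any stanza are ignored."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        m = SETTING_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group("key")] = m.group("value")
    return stanzas


def referenced_indexes(inputs_conf_text):
    """Map each enabled monitor:// stanza to the index it sends data to.
    An input with no explicit index setting goes to 'main'."""
    refs = {}
    for name, settings in parse_conf(inputs_conf_text).items():
        if not name.startswith("monitor://"):
            continue
        if settings.get("disabled", "false").lower() in ("1", "true"):
            continue
        refs[name] = settings.get("index", "main")
    return refs


def declared_indexes(indexes_conf_text):
    """Index stanza names in indexes.conf, excluding [default] and volume: stanzas."""
    return {
        name for name in parse_conf(indexes_conf_text)
        if name != "default" and not name.startswith("volume:")
    }


def missing_indexes(inputs_conf_text, indexes_conf_text):
    """Return {input stanza: index} for every input whose target index is not
    declared on the indexer. 'main' is assumed built in (Splunk's default
    indexes.conf declares it); other built-in indexes are not modelled here."""
    declared = declared_indexes(indexes_conf_text) | {"main"}
    return {
        stanza: idx
        for stanza, idx in referenced_indexes(inputs_conf_text).items()
        if idx not in declared
    }


if __name__ == "__main__":
    for stanza, idx in missing_indexes(UF_INPUTS_CONF, INDEXER_INDEXES_CONF).items():
        print(f"{stanza}: index '{idx}' is not declared on the indexer")
```

Run against the sample configs it flags only the `monitor:///log1/log2/log3` input, which is exactly the situation in the thread: the forwarder connects fine (the `TcpOutputProc - Connected` line shows that), but the indexer has nowhere to put events tagged `index=syslog`. On a real deployment, point the two constants at `$SPLUNK_HOME/etc/apps/*/local/inputs.conf` on the forwarder and the merged indexes.conf on the indexer (`splunk btool indexes list` gives the merged view), and remember that an index that is declared but disabled is also a drop.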